What Is LastPass
LastPass 1.72 Premium and the free LastPass 1.72 share PCMag's Editors' Choice honor for password management. I use it myself, as does PCMag Editor-in-chief Lance Ulanoff. With LastPass you memorize a single very strong password and let LastPass remember all your other Web site passwords. It can also fill in Web forms with your personal information.

Your personal data and saved passwords are stored online in encrypted form, but your master password isn't stored anywhere. The company makes it very clear that if you forget your master password, your data can't be accessed at all. You'll have to start over.

What Happened
There's no sure evidence that a breach or attack occurred. Administrators at LastPass simply noticed unexplained traffic for a few minutes on one of their servers. It's possible that some encrypted data was pulled from its databases, but the amount of data wasn't enough to contain information for many users.

That's about as much as anyone knows. LastPass is still investigating whether this was an attack at all, and if so what vector was used. It found no evidence of physical tampering and confirmed that no code was modified.

Once again, only encrypted data was potentially leaked. The only thing a thief could conceivably do with this data is attempt brute-force decryption by guessing at passwords. Success in such an endeavor is extremely unlikely; the odds are vanishingly small.

What LastPass Is Doing
LastPass has moved all services from the affected systems and shut them down. The company advises all users to choose a new, strong master password. Users who log in from an IP address other than their usual one get extra scrutiny. When you do change your password, LastPass checks that the request came from the same IP block you normally use. And it's rolling out an even stronger one-way encryption algorithm.


PCMag's Larry Seltzer has praised the company's response, saying "it proves that they take security seriously." Seltzer goes on to say, "When this is all over the likelihood that anyone was harmed will be remote and the overall security of LastPass will be greatly enhanced. It all speaks well of them."

Joe Siegrist, CEO at LastPass, admitted "We're pretty slammed with support issues." He pointed out that users can access their saved passwords offline. "Pull out the cable and login to their plugin if needed, or use pocket." For those who aren't ready to change the master password, Siegrist says "We're adding a quick way for people to delay changing their password so long as they use their email to validate again."

What You Can Do
Your passwords and personal information stored with LastPass are almost certainly not in danger. Even so, it's a good idea to change your master password, not just today but on a regular basis. It's really important to choose a strong password. The only person who could possibly be affected by this leak would be someone who chose a weak, easily guessed master password. Since you have a strong password, there's no need to worry.

Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted by readers. By 1990, he had become PC Magazine's technical editor, and a coast-to-coast telecommuter. His "User to User" column supplied readers with tips...